REMARKS

In a final Office Action dated June 3, 2005, the Examiner rejects claims 1-26. 
However, Applicants respectfully point out that claims 1-11, 13-17, 19-23, 25-26 (all 
pending claims) are the only claims pending in this application. Claims 12, 18, and 24
were cancelled in a response to an Office Action submitted on 24 February 2004. In
response to the Office Action, Applicants respectfully traverse the rejection. Claims
1-11, 13-17, 19-23, and 25-26 remain in the Application. In light of the following
arguments, Applicants respectfully request that this Application be allowed. 

In the Office Action, the Examiner rejects claim 1 under 35 U.S.C. §103(a) as
being unpatentable over U.S. Patent Number 6,574,666 B1 issued to Dutta (Dutta) in
view of U.S. Patent Number 6,658,571 B1 issued to O'Brien et al. (O'Brien). In order to
maintain a rejection the Examiner has the burden of providing evidence of prima facie
obviousness. See MPEP §2143. See also In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438
(Fed. Cir. 1991). In order to prove prima facie obviousness, the Examiner must provide 
evidence in the prior art of a motivation to combine or modify a reference, a reasonable 
expectation of success, and a teaching of each and every claimed element. Id. 
Applicants assert the examiner has failed to provide evidence of a teaching of each and 
every claimed element or evidence of a proper motivation to combine the references. 

In the Office Action the Examiner asserts that transmitting of a packet from a 
firewall core to at least one inspection module is not recited in the claims. However, the 
claim states that the firewall core provides packets to at least one inspection module. 
Applicants do not see the difference between the transmitting and provides. However, 
Applicants have amended the argument to mirror the words recited in the claim. 

The Examiner also states that the modules testing the packets is not recited in the 
claims. However, the claim clearly states the modules are configured to inspect the
packets which is testing the packets. Applicants have again amended the following
argument to recite the exact wording of the claim to clarify the element that the 
applicant is arguing is not taught. 

Furthermore, the Examiner states that the monitoring of packets is not recited in 
the claim. One skilled in the art will recognize that a firewall device having a plurality of 
communication interfaces is used to transmit data packets between devices. Although 
the monitoring of data packets between devices is not explicitly stated, one skilled in the 
art will know the difference between data packets and system calls. Furthermore, one
skilled in the art will recognize that a data packet received on a communication interface 
is being sent between systems. Thus, the difference argued is in the claim. 

The Examiner also states that the pertinent rule that is fetched is a module. 
Applicants cannot see how the Examiner can make this statement. One skilled in the art 
will know the difference between a rule stored in a library and a module which is a set of
software instructions for performing a function. Applicants are pointing out these are
two different entities. Thus, Dutta does not teach the module recited in claim 1.
Applicants again set forth the following arguments with the above mentioned
corrections. 

Applicants maintain that Dutta does not teach the firewall system recited in claim 
1. Specifically, Dutta does not teach an inspection module that receives packets and 
provides protocol inspection of the packets. Furthermore, the inspection module may be 
added during operation of the firewall core. The Examiner has found the arguments to 
this point to be persuasive. However, the Examiner has ignored this point in the new 
rejection as the same references to Dutta teaching this limitation are again recited in the 
new rejection. Therefore, Applicants will again set forth the argument previously 
presented to show that Dutta does not teach this limitation. 



Docket No.: CISCO-1935 

Applicants want to point out that the gist of Applicant's argument is that Dutta 
does not teach that the firewall contains two different modules that perform different 
functions, namely, the firewall core and the at least one inspection module. The firewall 
core provides packets to at least one inspection module. The Dutta teaching does not 
teach this feature. Dutta teaches the firewall either applies a rule or retrieves a rule and 
applies the rule to a packet. There is no teaching whatsoever of providing the packet to 
an inspection module that then inspects. Therefore, Dutta does not teach all of the 
claimed elements as arranged in the claim. The following remarks highlight that all of the 
limitations are not taught and therefore are asserted again for the Examiner's 
consideration. 

Claim 1 recites at least one inspection module coupled for communication to said 
firewall core, each said at least one inspection module configured to provide protocol 
inspection of data packets to said firewall core, said firewall core configured to receive 
data packets from said plurality of communication interfaces and communicate said 
packets to said at least one inspection module for inspection, said at least one inspection 
module is further configured to be installed during the operation of the firewall system. 
Dutta does not teach this limitation. Instead, Dutta teaches a firewall system in which 
rules in a database may be retrieved by a firewall system to test the packets. In claim 1, 
the firewall core provides the packets to an inspection module that inspects the packet. 
Each module is software that is being executed to perform inspection of a packet. 
Applicant cannot find any mention in Dutta of the use of different modules to inspect 
packets in a firewall system.

The Examiner states that an inspection module is taught by Col. 5, lines 1-12
which states: 

... (the executing fetching instructions), which in 
one embodiment is also implemented in the kernel, and in 
another embodiment is implemented at the application 
layer. The fetching process retrieves a pertinent rule and 
sends it to the firewall process, which loads it at the firewall. 
This embodiment advantageously separates the functions 
of the traditional firewall from retrieving a rule by the 
firewall for a packet. This keeps the firewall instructions 
relatively simple, and a maintains a certain level of security 
by separating the firewall process from interactions with 
e.g. an external database from which rules are to be 
retrieved to be loaded at the firewall. 

Applicants do not see anything in this recited section that teaches an inspection 
module that provides inspection of packets for a firewall core. Instead, the cited section
teaches a firewall process for testing packets that has a separate fetching function that
retrieves rules for testing to be used by a firewall process. There is no mention of
separate inspection modules for inspecting packets as recited in claim 1. Furthermore,
there is no mention of new inspection modules that may be loaded during execution of 
the firewall process. Thus, the at least one inspection module recited in claim 1 is not 
taught by Dutta. 

O'Brien also does not teach at least one inspection module coupled for 
communication to said firewall core, each said at least one inspection module configured 
to provide protocol inspection of data packets to said firewall core, said firewall core 
configured to receive data packets from said plurality of communication interfaces and 
communicate said packets to said at least one inspection module for inspection, said at
least one inspection module is further configured to be installed during the operation of
the firewall system as recited in claim 1. Instead O'Brien teaches modules that grant or
deny access of resources to software applications based upon the application requesting
a resource or the resource being requested. See Col. 3, lines 41-43. The modules
monitor system calls made by applications and permit access to resources based upon
system calls. See Col. 5, line 45-Col. 6, line 17. There is no mention anywhere in the
O'Brien document of modules that monitor packets being sent between systems as in a 
firewall device. Thus, O'Brien does not teach the inspection module recited in amended 
claim 1. 

Since neither Dutta nor O'Brien teaches the inspection module recited in claim
1, Applicants request that this rejection be removed and claim 1 be allowed.

Even if the combination of Dutta and O'Brien teaches the inspection module 
claimed in claim 1, the Examiner has not provided evidence of a motivation to combine 
the references. As stated in the MPEP and case law, "The mere fact that references can 
be combined or modified does not render the resulting combination obvious unless the 
prior art suggests desirability of the combination." See In re Mill, 916 F.2d 680 (Fed. Cir.
1990). See also MPEP §2143.01. In the Office Action, the Examiner merely asserts that 
one skilled in the art would use security modules to reduce damage caused by malicious 
software without additional software. First, there is no support for this statement in 
either reference. Second, O'Brien standing alone solves the problem stated. See 
Abstract. Thus, applicant requests that the Examiner provide prior art showing this 
motivation. 

Furthermore, case law and the MPEP require that the proposed modification not
render the prior art unsatisfactory for its intended purpose. See MPEP §2143.01. See
also In re Gordon, 733 F.2d 900 (Fed. Cir. 1984). If the proposed modification were made,
the firewall of Dutta would include security modules that monitor system calls to restrict
access to resources by software. This does not improve the unauthorized access to the
system prevented by the firewall in Dutta. Furthermore, there is no improvement of 
restricting access to resources by monitoring the packets received by the system. Dutta 
and O'Brien are providing two different forms of security. Both systems are adequate 
for their intended purpose and combining the two would add a second function to each 
system. Thus, the combination is not permitted. 

Furthermore, it appears the Examiner is using impermissible hindsight engineering 
to make the combination. The Examiner had previously found that Dutta taught some 
of the functions of claim 1. When Applicants pointed out that the inspection modules of
claim 1 inspected the packets and could be added at run time, the Examiner merely 
found a reference that taught modules that had nothing whatsoever to do with a firewall 
and added the reference merely for the teaching of the module regardless that the 
modules did not inspect packets and were used for an entirely different function. For 
the above reasons, the combination is not supported by evidence and Applicants 
respectfully request the rejection of claim 1 be removed. 

Claims 2-5 are dependent upon claim 1. Thus, claims 2-5 are allowable for at least 
the same reasons as claim 1. Therefore, Applicants respectfully request that the 
rejections to claims 2-5 be removed and claims 2-5 be allowed. 

In the Office Action, the Examiner rejects claim 6 under 35 U.S.C. §103(a) as
being unpatentable over U.S. Patent Number 6,574,666 B1 issued to Dutta (Dutta) in
view of U.S. Patent Number 6,658,571 B1 issued to O'Brien et al. (O'Brien). In order to
maintain a rejection the Examiner has the burden of providing evidence of prima facie
obviousness. See MPEP §2143. See also In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438
(Fed. Cir. 1991). In order to prove prima facie obviousness, the Examiner must provide
evidence in the prior art of a motivation to combine or modify a reference, a reasonable 
expectation of success, and a teaching of each and every claimed element. Id. 
Applicants assert that the Examiner has failed to provide a teaching of each and every 
claimed element and a motivation to combine the references. 

In the Office Action, the Examiner asserts that Applicants rely on a firewall core 
that monitors memory for new inspection modules that is not recited in the claims. 
However, claim 6 recites wherein said firewall core being configured to monitor a
memory to determine when a new inspection module is loaded into said memory. Thus, 
Applicants find no basis for this assertion. Thus, Applicants present the arguments again 
for Examiner's consideration. 

Claim 6 recites a firewall core that monitors a memory for inspection modules that 
are loaded into a memory during operation of the firewall system. Dutta does not teach 
this limitation. Instead, Dutta teaches a system that receives a packet, determines if a rule 
for testing the packet is in the firewall, and retrieves the rule from a database if the rule
is not in the firewall. This is different from a core system that reads a memory to 
determine when a new module for performing tests is added to the memory. Thus, Dutta 
does not teach claim 6. Therefore, applicant requests that the rejection of claim 6 be 
removed and claim 6 be allowed. 

O'Brien also does not teach claim 6. Instead O'Brien teaches a security master 
that provides an application programming interface for the security modules used to 
register. In O'Brien the security modules must actively register with the master. While 
in claim 6, the call back functions are retrieved by the firewall core from a new module 
detected in active memory. Thus, O'Brien does not teach the call back function of claim 
6. Since neither Dutta nor O'Brien teach the callback functions recited in claim 6, the
combination does not teach the call back functions. Thus, Applicants respectfully
request that the rejection of claim 6 be removed. 

Even if the combination of Dutta and O'Brien teaches the inspection module 
claimed in claim 6, the Examiner has not provided evidence of a motivation to combine 
the references. As stated in the MPEP and case law, "The mere fact that references can 
be combined or modified does not render the resulting combination obvious unless the 
prior art suggests desirability of the combination." See In re Mill, 916 F.2d 680 (Fed. Cir.
1990). See also MPEP §2143.01. In the Office Action, the Examiner merely asserts that 
one skilled in the art would use security modules to reduce damage caused by malicious 
software without additional software. First, there is no support for this statement in 
either reference. Second, O'Brien standing alone solves the problem stated. See 
Abstract. 

Furthermore, case law and the MPEP require that the proposed modification not
render the prior art unsatisfactory for its intended purpose. See MPEP §2143.01. See
also In re Gordon, 733 F.2d 900 (Fed. Cir. 1984). If the proposed modification were
made, the firewall of Dutta would include security modules that monitor system calls to 
restrict access to resources by software. This does not improve the unauthorized access 
to the system prevented by the firewall in Dutta. Furthermore, there is no improvement 
of restricting access to resources by monitoring the packets received by the system. 
Dutta and O'Brien are providing two different forms of security. Both systems are 
adequate for their intended purpose and combining the two would add a second 
function to each system. Thus, the combination is not permitted. 

Furthermore, it appears the Examiner is using impermissible hindsight engineering 
to make the combination. The Examiner had previously found that Dutta taught some 
of the functions of claim 6. When Applicants pointed out that the inspection modules of
claim 1 inspected the packets and could be added at run time, the Examiner merely
found a reference that taught modules that had nothing whatsoever to do with a firewall
and added the reference merely for the teaching of the module regardless that the modules
did not inspect packets and were used for an entirely different function. For the above 
reasons, the combination is not supported by evidence and Applicants respectfully 
request the rejection of claim 6 be removed. 

Claims 7-9 are dependent upon claim 6. Thus claims 7-9 are allowable for at least 
the same reasons as claim 6. Therefore, Applicants respectfully request that the 
rejections of claims 7-9 be removed and claims 7-9 be allowed. 

In the Office Action, the Examiner rejects claim 10 under 35 U.S.C. §103(a) as
being unpatentable over U.S. Patent Number 6,574,666 B1 issued to Dutta (Dutta) in
view of U.S. Patent Number 6,658,571 B1 issued to O'Brien et al. (O'Brien). In order to
maintain a rejection the Examiner has the burden of providing evidence of prima facie
obviousness. See MPEP §2143. See also In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438
(Fed. Cir. 1991). In order to prove prima facie obviousness, the Examiner must provide 
evidence in the prior art of a motivation to combine or modify a reference, a reasonable 
expectation of success, and a teaching of each and every claimed element. Id. 
Applicant asserts that the Examiner has failed to provide a teaching of each and every 
claimed element and a motivation to combine the references. 

Claim 10 recites a function table of an inspection module that is loaded into a 
memory monitored by the firewall core during operation of the firewall system. This is 
not taught by Dutta. Instead, Dutta teaches a system that can retrieve a rule for testing a 
packet when the rule is not currently in the firewall system. There is no mention of the 
firewall system having a core that monitors a memory for function tables of new 
inspection modules that can test packets in new types of protocols where the function
table gives call back function for providing packets to the inspection module for
inspection. Thus, the function table recited in claim 10 is not taught by Dutta. 

O'Brien also does not teach the function table in claim 10. Instead, O'Brien
teaches a security master that provides an application programming interface for the 
security modules used to register. In O'Brien the security modules must actively register 
with the master. While in claim 6, the call back functions are retrieved by the firewall 
core from a new module detected in active memory. Thus, O'Brien does not teach the 
function table recited by claim 10. Since neither Dutta nor O'Brien teach the callback 
functions recited in claim 10, the combination does not teach the call back functions. 
Thus, Applicants respectfully request that the rejection of claim 6 be removed. 

Even if the combination of Dutta and O'Brien teaches the function table claimed 
in claim 10, the Examiner has not provided evidence of a motivation to combine the 
references. As stated in the MPEP and case law, "The mere fact that references can be 
combined or modified does not render the resulting combination obvious unless the 
prior art suggests desirability of the combination." See In re Mill, 916 F.2d 680 (Fed. Cir.
1990). See also MPEP §2143.01. In the Office Action, the Examiner merely asserts that 
one skilled in the art would use security modules to reduce damage caused by malicious 
software without additional software. First, there is no support for this statement in 
either reference. Second, O'Brien standing alone solves the problem stated. See 
Abstract. 

Furthermore, case law and the MPEP require that the proposed modification not
render the prior art unsatisfactory for its intended purpose. See MPEP §2143.01. See
also In re Gordon, 733 F.2d 900 (Fed. Cir. 1984). If the proposed modification were made,
the firewall of Dutta would include security modules that monitor system calls to restrict
access to resources by software. This does not improve the unauthorized access to the
system prevented by the firewall in Dutta. Furthermore, there is no improvement of
restricting access to resources by monitoring the packets received by the system. Dutta 
and O'Brien are providing two different forms of security. Both systems are adequate 
for their intended purpose and combining the two would add a second function to each 
system. Thus, the combination is not permitted. 

Furthermore, it appears the Examiner is using impermissible hindsight engineering 
to make the combination. The Examiner had previously found that Dutta taught some 
of the functions of claim 10. When Applicants pointed out that the inspection modules 
of claim 10 inspected the packets and could be added at run time, the Examiner merely 
found a reference that taught modules that had nothing whatsoever to do with a firewall 
and added the reference merely for the teaching of the module regardless that the 
modules did not inspect packets and were used for an entirely different function. For 
the above reasons, the combination is not supported by evidence and Applicants 
respectfully request the rejection of claim 10 be removed. Therefore, Applicants request 
that the rejection of claim 10 be removed and amended claim 10 be allowed. 

Claims 11, 13 and 14 depend from claim 10. Thus, claims 11, 13, and 14 are 
allowable for at least the same reasons as claim 10. Therefore, Applicants request that 
the rejections to claims 11, 13, and 14 be removed and claims 11, 13, and 14 be allowed. 

Claim 15 recites a method for loading an inspection module that is claimed in 
claim 10. Thus, claim 15 is allowable for at least the same reasons as claim 10. Thus, 
Applicants respectfully request that the rejection of claim 15 be removed and amended 
claim 15 be allowed. 

Claims 16, 17, 19 and 20 depend from claim 15. Thus, claims 16, 17, 19 and 20 are 
allowable for at least the same reasons as claim 15. Therefore, Applicants request that
the rejections to claims 16, 17, 19, and 20 be removed and claims 16, 17, 19, and 20 be
allowed. 

Claim 21 claims a device that includes instructions for directing a computer to 
perform the method of claim 15. Thus claim 21 is allowable for at least the same reason 
as claim 15. Therefore, Applicants respectfully request that rejection of claim 21 be 
allowed and amended claim 21 be allowed. 

Claims 22, 23, 25 and 26 depend from claim 21. Thus, claims 22, 23, 25 and 26 are 
allowable for at least the same reasons as claim 21. Therefore, Applicants request that 
the rejections to claims 22, 23, 25, and 26 be removed and claims 22, 23, 25, and 26 be 
allowed. 

If the Examiner has any questions regarding this application or this response, the 
Examiner is invited to telephone the undersigned at the below number. 

Dated: August 3, 2005 Respectfully submitted,